Page 5 of 10
Last November, the Data Privacy and Integrity Advisory Committee of the Department of Homeland Security recommended against putting RFID chips in identity cards. DHS ignored them, and went ahead with the project anyway. Now, the Smart Card Alliance is criticizing the DHS’s RFID program for cross-border identification, basically saying that it is making the very mistakes the Data Privacy and Integrity Advisory Committee warned about.
I’ve written about the U.S. national ID card—REAL ID—extensively (most recently here). The Department of Homeland Security has published draft rules regarding REAL ID, and are requesting comments. Comments are due today, by 5:00 PM Eastern Time. Please, please, please, go to this Privacy Coalition site and submit your comments. The DHS has been making a big deal about the fact that so few people are commenting, and we need to prove them wrong.
This morning the Senate Judiciary Committee held hearings on REAL ID (info—and eventually a video—here); I was one of the witnesses who testified.
And lastly, Richard Forno and I wrote this essay for News.com:
In March, the Department of Homeland Security released its long-awaited guidance document regarding national implementation of the Real ID program, as part of its post-9/11 national security initiatives. It is perhaps quite telling that despite bipartisan opposition, Real ID was buried in a 2005 “must-pass” military spending bill and enacted into law without public debate or congressional hearings.
DHS has maintained that the Real ID concept is not a national identification database. While it’s true that the system is not a single database per se, this is a semantic dodge; according to the DHS document, Real ID will be a collaborative data-interchange environment built from a series of interlinking systems operated and administered by the states. In other words, to the Department of Homeland Security, it’s not a single database because it’s not a single system. But the functionality of a single database remains intact under the guise of a federated data-interchange environment.
The DHS document notes the “primary benefit of Real ID is to improve the security and lessen the vulnerability of federal buildings, nuclear facilities, and aircraft to terrorist attack.” We know now that vulnerable cockpit doors were the primary security weakness contributing to 9/11, and reinforcing them was a long-overdue protective measure to prevent hijackings. But this still raises an interesting question: Are there really so many members of the American public just “dropping by” to visit a nuclear facility that it’s become a primary reason for creating a national identification system? Are such visitors actually admitted?
DHS proposes guidelines for proving one’s identity and residence when applying for a Real ID card. Yet while the department concedes it’s a monumental task to prove one’s domicile or residence, it leaves it up to the states to determine what documents would be adequate proof of residence—and even suggests that a utility bill or bank statement might be appropriate documentation. If so, a person could easily generate multiple proof-of-residence documents. Basing Real ID on such easy-to-forge documents obviates a large portion of what Real ID is supposed to accomplish.
Finally, and perhaps most importantly for Americans, the very last paragraph of the 160-page Real ID document deserves special attention. In a nod to states’ rights advocates, DHS declares that states are free not to participate in the Real ID system if they choose—but any identification card issued by a state that does not meet Real ID criteria is to be clearly labeled as such, to include “bold lettering” or a “unique design” similar to how many states design driver’s licenses for those under 21 years of age.
In its own guidance document, the department has proposed branding citizens not possessing a Real ID card in a manner that lets all who see their official state-issued identification know that they’re “different,” and perhaps potentially dangerous, according to standards established by the federal government. They would become stigmatized, branded, marked, ostracized, segregated. All in the name of protecting the homeland; no wonder this provision appears at the very end of the document.
One likely outcome of this DHS-proposed social segregation is that people presenting non-Real ID identification automatically will be presumed suspicious and perhaps subject to additional screening or surveillance to confirm their innocence at a bar, office building, airport or routine traffic stop. Such a situation would establish a new form of social segregation—an attempt to separate “us” from “them” in the age of counterterrorism and the new normal, where one is presumed suspicious until proven more suspicious.
Two other big-picture concerns about Real ID come to mind: Looking at the overall concept of a national identification database, and given existing data security controls in large distributed systems, one wonders how vulnerable this system-of-systems will be to data loss or identity theft resulting from unscrupulous employees, flawed technologies, external compromises or human error—even under the best of security conditions. And second, there is no clear guidance on the limits of how the Real ID database would be used. Other homeland security initiatives, such as the Patriot Act, have been used and applied—some say abused—for purposes far removed from anything related to homeland security. How can we ensure the same will not happen with Real ID?
As currently proposed, Real ID will fail for several reasons. From a technical and implementation perspective, there are serious questions about its operational abilities both to protect citizen information and resist attempts at circumvention by adversaries. Financially, the initial unfunded $11 billion cost, forced onto the states by the federal government, is excessive. And from a sociological perspective, Real ID will increase the potential for expanded personal surveillance and lay the foundation for a new form of class segregation in the name of protecting the homeland.
It’s time to rethink some of the security decisions made during the emotional aftermath of 9/11 and determine whether they’re still a good idea for homeland security and America. After all, if Real ID was such a well-conceived plan, Maine and 22 other states wouldn’t be challenging it in their legislatures or rejecting the Real ID concept for any number of reasons. But they are.
And we as citizens should, too. Let the debate begin.
Again, go to this Privacy Coalition site and express your views. Today. Before 5:00 PM Eastern Time. (Or, if you prefer, you can use EFF’s comments page.)
Really. It will make a difference.
EDITED TO ADD (5/8): Status of anti-REAL-ID legislation in the states.
EDITED TO ADD (5/9): Article on the hearing.
Great essay from 1990 by Bill Holm:
No papers, no pay. It’s an interesting equation, and I think it has not surfaced before in Minnesota. Neither of my Icelandic grandfathers, for instance, had papers enough to work in Marshall, and if you’re an old Minnesotan, it’s unlikely that your grandfathers did, either. Viking wetbacks, they were.
Though Section 1324A, Title 8, of the U. S. Immigration Code was passed by Congress during my nonnewspaper-reading absence in central China, it doesn’t take much thinking to figure out its rationale: it is intended, to use the vulgar cliché, to “stem the flood” of illegal Mexican labor. It also doesn’t take much intelligence to figure out that if you’re a Mexican laborer in southern California and know you have to sign this silly form, you will promptly dummy up an “original” Social Security card and a driver’s license or birth certificate. Meanwhile, imagine Enrique Lopez, whose family has been in California since before Plymouth Rock, being abused by an officious bureaucrat because, like the rest of us, his “original” Social Security card disappeared down his Maytag twenty-five years ago. Visualize this. And then visualize the Senate debate on this legislation. As Mark Twain said, the true native American criminal class must certainly be Congress, and its behavior in this case is a nice mixture of hypocrisy, cowardice and thoughtlessness.
A friend, after hearing me in high dudgeon and confessing that he had himself signed such a form with silent misgivings, suggested that I might be more sensitive to such issues because of my recent return from China. If this is true, it is a harsh and sad comment both about me and about American citizens generally. If we have to spend a year in an authoritarian country producing papers on demand before we become sensitized to the moral and political dangers of Section 1324A, then we are already a nation of slaves, passive and agreeable, ready for Orwell’s eternal “boot in the human face.”
I’m curious what he’s thinking today.
Mennonites are considering moving to a different state because they don’t want their photo taken for their drivers licenses. Many (all?) states had religious exemptions to the photo requirement, but now fewer do.
The most interesting paragraph to me is the last one, though:
And in Pennsylvania, Dr. Kraybill said, a law requiring photo identification to buy guns has prompted many Amish hunters to hire non-Amish neighbors to buy guns for them.
Sounds like the photo-ID requirement is backfiring in this case.
This is the kind of thing that demonstrates why attempts to make passports harder to forge are not the right way to spend security dollars. These aren’t fake passports; they’re real ones mis-issued. They have RFID chips and any other anti-counterfeiting measure the British government includes.
The weak link in identity documents is the issuance procedures, not the documents themselves.
You can buy a fake U.S. Employment Authorization card (here’s a real version) for $200.
Notice how all the security features of the card are faked—very well.
The argument was so obvious it hardly needed repeating. Some thought we would all be safer—from terrorism, from crime, even from inconvenience—if we had a better ID card. A good, hard-to-forge national ID is a no-brainer (or so the argument goes), and it’s ridiculous that a modern country like the United States doesn’t have one.
Still, most Americans have been and continue to be opposed to a national ID card. Even just after 9/11, polls showed a bare majority (51%) in favor—and that quickly became a minority opinion again. As such, both political parties came out against the card, which meant that the only way it could become law was to sneak it through.
Republican Cong. F. James Sensenbrenner of Wisconsin did just that. In February 2005, he attached the Real ID Act to a defense appropriations bill. No one was willing to risk not supporting the troops by holding up the bill, and it became law. No hearings. No floor debate. With nary a whisper, the United States had a national ID.
By forcing all states to conform to common and more stringent rules for issuing driver’s licenses, the Real ID Act turns these licenses into a de facto national ID. It’s a massive, unfunded mandate imposed on the states, and—naturally—the states have resisted. The detailed rules and timetables are still being worked out by the Department of Homeland Security, and it’s the details that will determine exactly how expensive and onerous the program actually is.
It is against this backdrop that the National Governors Association, the National Conference of State Legislatures, and the American Association of Motor Vehicle Administrators together tried to estimate the cost of this initiative. “The Real ID Act: National Impact Analysis” is a methodical and detailed report, and everything after the executive summary is likely to bore anyone but the most dedicated bean counters. But rigor is important because states want to use this document to influence both the technical details and timetable of Real ID. The estimates are conservative, leaving no room for problems, delays, or unforeseen costs, and yet the total cost is $11 billion over the first five years of the program.
If anything, it’s surprisingly cheap: Only $37 each for an estimated 295 million people who would get a new ID under this program. But it’s still an enormous amount of money. The question to ask is, of course: Is the security benefit we all get worth the $11 billion price tag? We have a cost estimate; all we need now is a security estimate.
I’m going to take a crack at it.
When most people think of ID cards, they think of a small plastic card with their name and photograph. This isn’t wrong, but it’s only a small piece of any ID program. What starts out as a seemingly simple security device—a card that binds a photograph with a name—rapidly becomes a complex security system.
It doesn’t really matter how well a Real ID works when used by the hundreds of millions of honest people who would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.
The first problem is the card itself. No matter how unforgeable we make it, it will be forged. We can raise the price of forgery, but we can’t make it impossible. Real IDs will be forged.
Even worse, people will get legitimate cards in fraudulent names. Two of the 9/11 terrorists had valid Virginia driver’s licenses in fake names. And even if we could guarantee that everyone who issued national ID cards couldn’t be bribed, cards are issued based on other identity documents—all of which are easier to forge.
And we can’t assume that everyone will always have a Real ID. Currently about 20% of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself would be susceptible to abuse.
Additionally, any ID system involves people: people who regularly make mistakes. We’ve all heard stories of bartenders falling for obviously fake IDs, or sloppy ID checks at airports and government buildings. It’s not simply a matter of training; checking IDs is a mind-numbingly boring task, one that is guaranteed to have failures. Biometrics such as thumbprints could help, but bring with them their own set of exploitable failure modes.
All of these problems demonstrate that identification checks based on Real ID won’t be nearly as secure as we might hope. But the main problem with any strong identification system is that it requires the existence of a database. In this case, it would have to be 50 linked databases of private and sensitive information on every American—one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.
The security risks of this database are enormous. It would be a kludge of existing databases that are incompatible, full of erroneous data, and unreliable. Computer scientists don’t know how to keep a database of this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it.
But even if we could solve all these problems, and within the putative $11 billion budget, we still wouldn’t be getting very much security. A reliance on ID cards is based on a dangerous security myth, that if only we knew who everyone was, we could pick the bad guys out of the crowd.
In an ideal world, what we would want is some kind of ID that denoted intention. We’d want all terrorists to carry a card that said “evildoer�? and everyone else to carry a card that said “honest person who won’t try to hijack or blow up anything.�? Then security would be easy. We could just look at people’s IDs, and, if they were evildoers, we wouldn’t let them on the airplane or into the building.
This is, of course, ridiculous; so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you’re likely to be an evildoer. But that’s almost as ridiculous.
Even worse, as soon as you divide people into two categories—more trusted and less trusted people—you create a third, and very dangerous, category: untrustworthy people whom we have no reason to mistrust. Oklahoma City bomber Timothy McVeigh; the Washington, DC, snipers; the London subway bombers; and many of the 9/11 terrorists had no previous links to terrorism. Evildoers can also steal the identity—and profile—of an honest person. Profiling can result in less security by giving certain people an easy way to skirt security.
There’s another, even more dangerous, failure mode for these systems: honest people who fit the evildoer profile. Because evildoers are so rare, almost everyone who fits the profile will turn out to be a false alarm. Think of all the problems with the government’s no-fly list. That list, which is what Real IDs will be checked against, not only wastes investigative resources that might be better spent elsewhere, but it also causes grave harm to those innocents who fit the profile.
Enough of terrorism; what about more mundane concerns like identity theft? Perversely, a hard-to-forge ID card can actually increase the risk of identity theft. A single ubiquitous ID card will be trusted more and used in more applications. Therefore, someone who does manage to forge one—or get one issued in someone else’s name—can commit much more fraud with it. A centralized ID system is a far greater security risk than a decentralized one with various organizations issuing ID cards according to their own rules for their own purposes.
Security is always a trade-off; it must be balanced with the cost. We all do this intuitively. Few of us walk around wearing bulletproof vests. It’s not because they’re ineffective, it’s because for most of us the trade-off isn’t worth it. It’s not worth the cost, the inconvenience, or the loss of fashion sense. If we were living in a war-torn country like Iraq, we might make a different trade-off.
Real ID is another lousy security trade-off. It’ll cost the United States at least $11 billion, and we won’t get much security in return. The report suggests a variety of measures designed to ease the financial burden on the states: extend compliance deadlines, allow manual verification systems, and so on. But what it doesn’t suggest is the simple change that would do the most good: scrap the Real ID program altogether. For the price, we’re not getting anywhere near the security we should.
This essay will appear in the March/April issue of The Bulletin of Atomic Scientists.
EDITED TO ADD (1/30): There’s REAL-ID news this week. Maine became the first state to reject REAL-ID. This means that a Maine state driver’s license will not be recognized as valid for federal purposes, although I’m sure the Feds will back down over this. And other states will follow:
“As Maine goes, so goes the nation,” said Charlie Mitchell, director of the ACLU State Legislative Department. “Already bills have been filed in Montana, New Hampshire, New Mexico, Georgia and Washington, which would follow Maine’s lead in saying no to Real ID, with many mores states on the verge of similar action. Across the nation, local lawmakers are rejecting the federal government’s demand that they curtail their constituents’ privacy through this giant unfunded boondoggle.”
More info on REAL-ID here.
EDITED TO ADD (1/31): More information on Montana. My guess is that Montana will become the second state ro reject REAL-ID, and New Mexico will be the third.
The U.S. Coast Guard is talking about licensing boaters. It’s being talked about as an antiterrorism measure, in typical incoherent ways:
The United States already has endured terrorism using small civilian craft, albeit overseas: In 2000, suicide bombers in the port of Aden, Yemen, used an inflatable boat to blow themselves up next to the U.S. Navy destroyer USS Cole, killing 17 sailors and wounding 39 others.
Terrorism experts point to other ways small boats potentially could assist in attacks for example, a speedboat could deposit saboteurs at the outlet pipes of a nuclear power plant, or hijackers aboard a cruise ship. In a nightmare scenario, suicide bombers in a crowded harbor could use small watercraft to detonate a tanker carrying ultra-volatile liquefied natural gas, causing a powerful explosion that could kill thousands.
And how exactly is licensing watercraft supposed to help?
There are lots of good reasons to license boats and boaters, just as there are to license cars and drivers. But counterterrorism is not one of them.
No, really:
“Introducing photo ID cards will help bring an end to bullying over use of ‘cash free’ cards for school meals, will assist with access to school bus services and, ultimately, can be used to add security to school examinations,” he said.
“SSTA members report frequently that young people are bullied into handing over their cards for school meals to others, thus leaving them without their meal entitlement.
“With non-identified cards this will remain a problem. If photo ID is introduced widely, then the problem will dramatically reduce.”
He said that introducing such a system would also help prepare young people for “the realities of identity management in the 21st Century”.
I agree with this:
However, Green MSP Patrick Harvie said the suggestion was troubling.
“We should be preparing young people for the reality of defending their privacy and civil liberties against ever-more intrusive government systems,” he argued.
“We’ve heard proposals for airport-style scanners and random drug testing in schools, fingerprinting is already in place in some schools. There’s a risk of creating environments which feel more like penal institutions than places of learning.
“These ID cards will do absolutely nothing to address the causes of bullying. Instead they will teach the next generation that an ID card culture is ‘normal’, and that they should have to prove their entitlement to services.”
It’s important that schools teach the right lessons, and “we’re all living in a surveillance society, and we should just get used to it” is not the right lesson.
Two men have been issued Virginia drivers’ licenses even though they were wearing outlandish disguises when they had their pictures taken at the Department of Motor Vehicles:
Will Carsola and Dave Stewart posted Internet videos of their pranks, which included scenes of Carsola spray-painting his face and neck bright red and Stewart painting the top of his head black and sticking a row of fake buckteeth in his mouth in an Asian caricature. They each enter the DMV office and return with real licenses with photos of their new likenesses.
In another video, a shaved-headed Carsola comes out of the DMV with a photo of his eyes crossed, and another friend obtains a license after spray-painting on a thick, black beard and monobrow.
The Virginia DMV is now demanding that the two come back and get real pictures taken.
I never thought I would say this, but I agree with everything Michelle Malkin says on this issue:
These guys have done the Virginia DMV—and the nation—a big favor. Many of us have tried to argue how much of a joke these agencies and our homeland security remain after 9/11—particularly the issuance of driver’s licenses (it was the Virginia DMV that issued state photo ID to several 9/11 hijackers who were aided by illegal aliens).
But few dissertations and policy analyses drive the message home more effectively than these two damning videos.
Thanks, guys.
I honestly don’t know if she realizes that REAL ID won’t solve this kind of problem, though. Nor will it solve the problem of people getting legitimate IDs in the names of people whose identity they stole, or real IDs in fake names by bribing DMV employees. (Several of the 9/11 hijackers did this, in Virginia.)
Sidebar photo of Bruce Schneier by Joe MacInnis.
